[Dshield] Hiding IP's

Brian Dessent brian at dessent.net
Mon Aug 22 08:36:41 GMT 2005

Valdis.Kletnieks at vt.edu wrote:

> True.  I was addressing the specific comment that "anybody saying spoofing is
> easy doesn't have clue" - which is dangerously misleading.  For the Windows
> example, what *appears* to be a 600K packet SYN flood of the server from 12
> sources will yield enough information to have about a 79% chance of success of
> one of the 12 sources creating a spoofed connection.

I guess it depends on how you define trivial.  Some of the other
operating systems (none of which are in widespread server use) in the
Zalewski paper pretty much fit the textbook definition of trivial ISN
guessing, whereas Windows at least tries to put up a fight.  I'm not one
to defend Microsoft here and they could certainly improve, but it's a
lot harder than e.g. "look at the ISN of prior connection and increment
by one" which is what I'd call trivial.

And of course the *mumble* percent of connected hosts that don't run
Vendor M are more or less immune entirely.

But on the whole you're right, I should not have stated in such stark terms
that spoofing was completely out of the question.  I guess the crux of
my argument was more along the lines of "ignore the l33t idiots that
claim that they spoof their IP address for surfing web sites" and not
"spoofing is impossible."
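As an added illustration of the distinction the thread is drawing, here is a small simulation of blind TCP connection spoofing against three ISN policies. It is example code written for this page, not code from the list, from the Zalewski paper, or from any vendor. The three policies, the 64000-per-connection step, the 250 kHz clock with about 1 ms of timing jitter, the "last ISN plus median delta" predictor and the twelve-probe budget are all modelling assumptions chosen to make the point, not measurements of any real stack.

```python
"""Simulated TCP ISN predictability: can an attacker who never sees the
SYN-ACK still supply the right ACK number for a spoofed connection?

Assumptions (this is a model, not a measurement of any real stack):
  "increment" - each connection's ISN is the previous one plus 64000,
                the textbook-trivial case discussed on the list.
  "clock"     - ISN advances with a 250 kHz counter (RFC 793 style), and
                the time between connections jitters by roughly +/- 1 ms.
  "random"    - a uniformly random 32-bit ISN, the ideal.
"""
import random
import statistics

MOD = 1 << 32


def make_isn_source(policy, rng):
    """Return a zero-argument function that yields the server's next ISN."""
    state = {"isn": rng.getrandbits(32)}

    def increment():
        state["isn"] = (state["isn"] + 64000) % MOD
        return state["isn"]

    def clock():
        # Assumed 9..11 ms between connections; 250 kHz means one tick per 4 us.
        elapsed_us = rng.randint(9000, 11000)
        state["isn"] = (state["isn"] + elapsed_us // 4) % MOD
        return state["isn"]

    def rand():
        return rng.getrandbits(32)

    return {"increment": increment, "clock": clock, "random": rand}[policy]


def predict_next(observed):
    """Attacker's predictor: last observed ISN plus the median per-connection delta."""
    deltas = [(b - a) % MOD for a, b in zip(observed, observed[1:])]
    step = int(statistics.median(deltas)) if deltas else 0
    return (observed[-1] + step) % MOD


def in_window(prediction, actual, width):
    """True if `actual` lies within the `width` ACK numbers the attacker sprays
    around `prediction` (wrap-around aware, like TCP sequence arithmetic)."""
    dist = (actual - prediction) % MOD
    if dist >= MOD // 2:
        dist -= MOD
    return -(width // 2) <= dist < width - width // 2


def attack_success_rate(policy, probes=12, width=1, trials=500, seed=2005):
    """Fraction of trials in which the spoofed handshake's ACK would be accepted.

    The attacker opens `probes` legitimate connections to learn ISNs, then
    sends one spoofed SYN and `width` candidate ACKs for the ISN it never sees.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        next_isn = make_isn_source(policy, rng)
        observed = [next_isn() for _ in range(probes)]
        prediction = predict_next(observed)
        # The SYN-ACK for the spoofed SYN goes to the spoofed source, not the
        # attacker, so only the guessed ACK number decides the outcome.
        if in_window(prediction, next_isn(), width):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for policy, width in [("increment", 1), ("clock", 1), ("clock", 1024), ("random", 1024)]:
        rate = attack_success_rate(policy, width=width)
        print(f"{policy:>9} policy, {width:>4} guesses: {rate:.1%} spoof success")
```

The increment policy falls to a single guess, the clock policy needs only a spray of a few hundred ACKs once the jitter is bounded, and the random policy is out of reach even with a thousand guesses; a stack that sits somewhere between "clock" and "random" is where the argument about what counts as trivial actually lives.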


